A Credentials_Manager abstracts how the application stores
credentials, in a form that is usable by protocol
implementations. Currently the main user is the Transport Layer Security (TLS)
implementation.

When type is “tls-client”, context will be the hostname of
the server, or empty if the hostname is not known.

When type is “tls-server”, the context will again be the
hostname of the server, or empty if the client did not send a
server name indicator. For TLS servers, the CAs returned are the
ones trusted for signing client certificates. If you do not want
the TLS server to request a client certificate,
trusted_certificate_authorities should return an empty list
for type “tls-server”.

One important special case for psk is where type is
“tls-server”, context is “session-ticket” and identity is an
empty string. If a key is returned for this case, a TLS server
will offer session tickets to clients who can use them, and the
returned key will be used to encrypt the ticket. The server is
allowed to change the key at any time (though changing the key
means old session tickets can no longer be used for resumption,
forcing a full re-handshake when the client next connects). One
simple approach to add support for session tickets in your server
is to generate a random key the first time psk is called to
retrieve the session ticket key, cache it for later use in the
Credentials_Manager, and simply let it be thrown away when the
process terminates.
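
The generate-once-and-cache approach described above, as an added stand-alone C++ sketch that is not the library's own code. The class name Ticket_Key_Credentials, the empty-vector "no key" result, the 32-byte key length, the rotate_ticket_key helper and the use of /dev/urandom are assumptions; a real implementation would put this logic in the psk method of its own Credentials_Manager subclass.

```cpp
#include <cstddef>
#include <cstdint>
#include <fstream>
#include <mutex>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical stand-in; it does not derive from the library's Credentials_Manager.
class Ticket_Key_Credentials {
public:
    using Key = std::vector<uint8_t>;

    // Mirrors the (type, context, identity) lookup described above.
    // Assumption of this sketch: an empty vector means "no key for this request".
    Key psk(const std::string& type, const std::string& context,
            const std::string& identity) {
        if (type != "tls-server" || context != "session-ticket" || !identity.empty())
            return Key();
        std::lock_guard<std::mutex> lock(m_mutex);  // handshakes may run on several threads
        if (m_ticket_key.empty())
            m_ticket_key = random_key(32);          // first call: generate (32 bytes assumed)
        return m_ticket_key;                        // later calls: same cached key
    }

    // Changing the key: tickets encrypted under the old key can no longer be
    // used for resumption, so those clients fall back to a full handshake.
    void rotate_ticket_key() {
        std::lock_guard<std::mutex> lock(m_mutex);
        m_ticket_key = random_key(32);
    }

private:
    static Key random_key(std::size_t len) {
        // Assumption: the OS exposes its CSPRNG at /dev/urandom.
        std::ifstream urandom("/dev/urandom", std::ios::binary);
        Key key(len);
        if (!urandom.read(reinterpret_cast<char*>(key.data()),
                          static_cast<std::streamsize>(len)))
            throw std::runtime_error("could not read random bytes");
        return key;
    }

    std::mutex m_mutex;
    Key m_ticket_key;  // held in memory only, so it is discarded at process exit
};
```

Because the key lives only in process memory, every restart invalidates outstanding tickets, and separate server processes each end up with their own key.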